In a post, the team said they had called the operation CostaRicto and that its targets has been observed in India, Bangladesh, Singapore, China, the US, Bahamas, Australia, Mozambique, France, the Netherlands, Austria, Portugal and the Czech Republic.
The most attacks by this operation had been in India, Singapore and Bangladesh.
The team found that the command and control servers used in attacks were managed either through Tor or a layer of proxies, with a network of SSH tunnels also set up in the victim's environment.
While the timestamps of payload stagers went back to 2017, it did not necessarily suggest that CostaRicto had been going for that many years with a different payload; it could be that stagers were being re-used with being recompiled by changing the C2 URLs through binary editing.
The team said the backdoor project used by CostaRicto was named Sombra - the name of an Overwatch game persona. Some domain names which were hard-coded in the backdoor binaries appeared to spoof legitimate domains.
But the victims affected by these backdoors were not related, indicating that existing infrastructure was being re-used for another purpose.
One IP address used by the backdoor domains had been used earlier in a phishing campaign by a state actor, but the team said this more likely to be a coincidence than to indicate any connection between the two.
"With the undeniable success of ransomware-as-a-service, it's not surprising that the cyber criminal market has expanded its portfolio to add dedicated phishing and espionage campaigns to the list of services on offer," the team said.
"Outsourcing attacks or certain parts of the attack chain to unaffiliated mercenary groups has several advantages for the adversary – it saves their time and resources and simplifies the procedures, but most importantly it provides an additional layer of indirection, which helps to protect the real identity of the threat actor."